About Azure Key Vault
Azure Key Vault enables you to manage keys, secrets, and certificates without needing to store security information in the code. You can centralize application secrets and securely store secrets and keys backed by Hardware Security Modules (HSMs). Key Vault logs access and usage of your secrets so you have a complete audit trail for compliance. For more general information about Azure Key Vault, refer to the following article on the Microsoft website: https://docs.microsoft.com/en-us/azure/key-vault/general/overview
What is BYOK?
The Key Vault BYOK (Bring Your Own Key) feature enables importing existing asymmetric keys into a Key Vault. With this integration, you can create asymmetric HSM-protected keys on a KMES Series 3 device and push those keys to an Azure Key Vault by using the KMES application interface. You can use keys pushed to a Key Vault with the following services inside Azure:
- Azure Disk Encryption
- The Always Encrypted and Transparent Data Encryption functionality in SQL Server and Azure SQL Database
- Azure App Service
Key benefits of the integration
The Azure Key Vault BYOK and KMES Series 3 integration provides the following benefits:

| Benefit | Description |
|---|---|
| Key Provenance | You are the sole owner of your keys, so you can control their location and distribution. |
| Added assurance | Keys that you create on the KMES and import into Azure never leave the HSM boundary. Even after they are in Azure, the keys are stored on hardware security modules on the backend. |
| Centralized key management | You can manage your keys and access policies from a single location and user interface, whether the data they protect resides in the cloud or on your premises. |
| Audit compliance | Many audits require you to escrow keys outside of the cloud provider. This integration accomplishes this requirement. |
Integration overview
To integrate KMES Series 3 with Azure Key Vault BYOK, you must perform the following tasks:
- Configure Azure credentials for communication with the KMES Series 3.
- Configure the KMES Series 3 for integrating with Azure.
- Perform the Azure Key Vault integration and key operations.

